http://www.packet6.com/installing-snort-on-centos/
Install ntpdate
[root@snort-beta]# yum install -y ntpdate
[root@snort-beta]# ntpdate 0.us.pool.ntp.org
Install Dependencies
We're going to install some dependencies that will be needed going forward. Since we are using CentOS minimal, we will also need to install a few applications.
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man
Now let's create a temporary directory to store the files we will be downloading.
mkdir tmp && cd tmp
Next we need to install more dependencies.
wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
Use the rpm command to install the dependencies we just downloaded.
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
Install Snort
I'm downloading the rpm files from Snort.org.
yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
Test Snort
Use this command to run Snort in test mode. It will tell you if there is anything wrong with running Snort.
snort -T -i <interface-name> -u snort -g snort -c /etc/snort/snort.conf
If you get this error:
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
Modify /etc/sysconfig/snort
Modify the Snort sysconfig file which holds variables for the startup file:
Change the interface which Snort is using to the interface you will use on your server to sniff traffic.
Comment out ALERTMODE and BINARY_LOG. If you don't do this, your alerts will not be written to the MySQL database in a later setup.
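The two sysconfig edits above can be scripted so they are repeatable and checkable. This is an added example, not code from the original post: the sample file it builds only approximates the stock CentOS /etc/sysconfig/snort (assumption), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two edits the post
# describes to a Snort sysconfig file: point INTERFACE at the sniffing
# interface and comment out ALERTMODE and BINARY_LOG so alerts are not
# written to files instead of the database configured later.
# Usage: configure_snort_sysconfig /etc/sysconfig/snort eth1

configure_snort_sysconfig() {
    file="$1"
    iface="$2"   # interface name without '/', since it is used in a sed replacement
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    # Anchored at line start, so already-commented lines are left alone (idempotent).
    sed \
        -e "s/^INTERFACE=.*/INTERFACE=$iface/" \
        -e 's/^\(ALERTMODE=.*\)/#\1/' \
        -e 's/^\(BINARY_LOG=.*\)/#\1/' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 if the file has the shape the post asks for, 1 otherwise.
# Useful as a pre-flight check before starting the snortd service.
check_snort_sysconfig() {
    file="$1"
    iface="$2"
    grep -q "^INTERFACE=$iface\$" "$file" || return 1
    grep -q '^ALERTMODE=' "$file" && return 1
    grep -q '^BINARY_LOG=' "$file" && return 1
    return 0
}

# Constructed sample resembling the stock sysconfig file (assumption); used
# so the functions can be exercised without touching the real file.
make_sample_sysconfig() {
    cat > "$1" <<'EOF'
# /etc/sysconfig/snort (constructed sample)
INTERFACE=eth0
ALERTMODE=fast
BINARY_LOG=1
USER=snort
GROUP=snort
EOF
}
```

Run `check_snort_sysconfig /etc/sysconfig/snort eth1` after editing; a non-zero exit means one of the two settings is still active and alerts will keep going to files.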
Viewing Logs
If the self-test runs successfully, you can run Snort without the -T switch and replace it with -D, for daemon, which runs Snort in the background. Once Snort is running and sniffing traffic, it should write its output to /var/log/snort.
The snort.log file is in Unified2 format, which means you can't open it in Wireshark. Anything Snort considers bad will trigger an alert. All alerts go into a file called alert within /var/log/snort/.
For now, you have Snort running and dumping logs into a directory. Next up in this series I will discuss automatically updating your Snort rule sets using Pulledpork.
Resources
My working snort.conf file. I've disabled most of the rules except one. This was only to get a simple test going.
Here is an example of my /etc/sysconfig/snort file.